TCLlib arbitrary TCL execution Vulnerability

2015.08.23
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#####################################################
# Exploit Title : TCLlib arbitrary TCL execution Vulnerability
# Author : Ashiyane Digital Security Team
# Date: 21/08/2015
# Tested On : Firefox - Win7
# Link Vulnerability:
# http://www.opensource.apple.com/source/tcl/tcl-87/tcl_ext/tcllib/tcllib/installer.tcl
# Researcher : Und3rgr0und
#####################################################
# Information:
#
# TCL uses objects called channels to read and write data. The channels can be created
# using the open or socket command. There are three standard channels available to
# TCL scripts without explicitly creating them. They are automatically opened by
# the OS for each new application. They are stdin, stdout and stderr.
# The standard input, stdin, is used by the scripts to read data.
# The standard output, stdout, is used by scripts to write data.
# The standard error, stderr, is used by scripts to write error messages.
#
#####################################################
# Vulnerability :
#
# The value of some unfiltered variable is used and evaluated with the GETs.
#
# If the external variable contains then arbitrary TCL execution is possible.
#
# The affected input variable:
#
# proc wait {} {
#     global config
#
#     if {!$config(wait)} {return}
#
#     puts -nonewline stdout "Is the chosen configuration ok ? y/N: "
#     flush stdout
#     set answer [gets stdin]
#     if {($answer == {}) || [string match "\[Nn\]*" $answer]} {
#         puts stdout "\tNo. Aborting."
#         puts stdout ""
#         exit 0
#     }
#     return
# }
#
####################################################
# Line 6 :
#
# set answer [gets stdin]
#
####################################################
# Patch :
#
# set answer [gets $stdin]
#
# or
#
# set answer $stdin
#
####################################################
# Discovered By : Und3rgr0und
####################################################

References:

http://www.opensource.apple.com/source/tcl/tcl-87/tcl_ext/tcllib/tcllib/installer.tcl
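
The Tcl script below is an added example, not code from the advisory or from tcllib. It runs the answer check from `proc wait` over constructed input lines and records whether any text in a line gets executed, next to a constructed `unsafe_check` that hands the same line to `subst`. The names `marker`, `answer_is_no` and `unsafe_check` and the sample lines are assumptions made for the illustration.

```tcl
# Added example; proc names and sample inputs are constructed for illustration.

# Flag that records whether text taken from an input line was run as a command.
set ::executed 0
proc marker {} {
    set ::executed 1
    return x
}

# The condition from the advisory's "proc wait", with the line passed in as an
# argument instead of being read by [gets stdin], so the script runs unattended.
proc answer_is_no {answer} {
    # The braced expression and the string (not pattern) argument of
    # "string match" both receive $answer as a plain value.
    return [expr {($answer == {}) || [string match "\[Nn\]*" $answer]}]
}

# Contrast case (constructed): the same value reaches an evaluating command.
proc unsafe_check {answer} {
    # subst performs command substitution on its argument, so bracketed
    # text inside the input line is run as a Tcl command.
    return [subst $answer]
}

# Constructed input lines: yes, no, empty line, and a line holding a
# bracketed command name.
foreach line {y No {} {[marker]}} {
    set ::executed 0
    set no [answer_is_no $line]
    puts [format "%-12s wait check: no=%d executed=%d" "<$line>" $no $::executed]
}

# The same bracketed line through the evaluating path.
set ::executed 0
unsafe_check {[marker]}
puts [format "%-12s subst path: executed=%d" {<[marker]>} $::executed]
```

Run it with `tclsh`; the `executed` column shows which of the two paths turns an input line into code.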

